========================================================================
Revive Adserver Security Advisory REVIVE-SA-2021-001
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2021-001
------------------------------------------------------------------------
CVE-IDs: CVE-2021-22871, CVE-2021-22872, CVE-2021-22873
Date: 2020-01-19
Risk Level: Low
Applications affected: Revive Adserver
Versions affected: <= 5.0.5
Versions not affected: >= 5.1.0
Website: https://www.revive-adserver.com/
========================================================================

========================================================================
Vulnerability 1 - Persistent XSS
========================================================================
Vulnerability Type: Improper Neutralization of Input During Web Page
                    Generation ('Cross-site Scripting') [CWE-79]
CVE-ID: CVE-2021-22871
CVSS Base Score: 3.5
CVSSv3.1 Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
CVSS Impact Subscore: 2.5
CVSS Exploitability Subscore: 0.9
========================================================================

Description
-----------
A persistent XSS vulnerability has been discovered by security researcher
Keyur Vala. An attacker with manager account credentials could store HTML
code in a website property, which could subsequently be displayed
unescaped on a specific page to other users in the system.

Details
-------
Any user with a manager account could store specifically crafted content
in the URL website property, which was then displayed unsanitised in the
affiliate-preview.php tag generation screen, potentially to other users in
the system, allowing a persistent XSS attack to take place. The target
users would however mostly have access to the same resources as the
attacker, so the practical applications are not considered particularly
harmful, especially since the session cookie cannot be accessed via
JavaScript.
References
----------
https://hackerone.com/reports/819362
https://github.com/revive-adserver/revive-adserver/commit/89b88ce26
https://github.com/revive-adserver/revive-adserver/commit/62a2a0439
https://cwe.mitre.org/data/definitions/79.html

========================================================================
Vulnerability 2 - Reflected XSS
========================================================================
Vulnerability Type: Improper Neutralization of Input During Web Page
                    Generation ('Cross-site Scripting') [CWE-79]
CVE-ID: CVE-2021-22872
CVSS Base Score: 4.3
CVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS Impact Subscore: 1.4
CVSS Exploitability Subscore: 2.8
========================================================================

Description
-----------
Security researcher Axel Flamcourt has discovered that the fix for the
reflected XSS vulnerability in REVIVE-SA-2020-001 could be bypassed on
older browsers with specifically crafted payloads to the publicly
accessible afr.php delivery script of Revive Adserver. The practical
applications are not considered particularly harmful, especially since
the session cookie cannot be accessed via JavaScript.

Details
-------
The previous fix worked on most modern browsers, but some older browsers
(e.g. IE11) do not automatically URL-encode parameters, which left an
opportunity to inject closing and opening script tags and achieve a
reflected XSS attack.
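Both XSS issues above come down to the same defensive rule: encode values for
the context they are written into at the moment of output, and do not rely
on what a client may or may not have percent-encoded. The following Python
snippet is an added illustration of that rule for the two contexts involved
(an HTML attribute holding the stored website URL property, and a request
parameter reflected inside an inline script). It is not Revive Adserver
code; the property name, the page fragments, the storage-time URL policy and
the sample values are assumptions made for the example.

```python
"""Output encoding at the sink, for the two XSS issues in this advisory.

Added illustration, not Revive Adserver code: the property name, the page
fragments and the sample values are assumptions made for the example.
"""
import html
import json
from urllib.parse import urlsplit

# Constructed sample value for the website URL property. It is a valid-looking
# URL whose path carries plain markup characters; nothing more is needed to
# show why encoding has to happen on output.
STORED_WEBSITE_URL = 'http://example.test/path"><b>bold</b>'


def is_acceptable_website_url(url: str) -> bool:
    """Storage-time validation (assumed policy): only absolute http(s) URLs.
    This narrows what a manager account can save, but it does not replace
    output encoding: the sample value above passes this check."""
    parts = urlsplit(url.strip())
    return parts.scheme.lower() in ("http", "https") and bool(parts.netloc)


def render_preview_vulnerable(website_url: str) -> str:
    """Vulnerability 1 pattern: the stored property is interpolated into the
    tag-generation page as-is, so stored markup becomes live markup."""
    return f'<a href="{website_url}">Website</a>'


def render_preview_fixed(website_url: str) -> str:
    """Encode for the HTML attribute context (quote=True also encodes '"'
    and "'"), so the stored value can only ever be text."""
    return f'<a href="{html.escape(website_url, quote=True)}">Website</a>'


def render_inline_script_vulnerable(param: str) -> str:
    """Vulnerability 2 pattern: a request parameter reflected inside a
    <script> block. If the server relies on the browser having
    percent-encoded '<' and '>', a client that did not do so can deliver a
    value that closes the script element."""
    return f'<script>var zone = "{param}";</script>'


def render_inline_script_fixed(param: str) -> str:
    """JSON-encode the value and replace '<' and '>' with JavaScript escapes.
    The result is a valid JS string literal that cannot contain '</script',
    regardless of what the client sent or how it was encoded."""
    encoded = json.dumps(param).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var zone = {encoded};</script>"


def script_tag_count(fragment: str) -> int:
    """Number of closing script tags in a fragment; a correctly encoded page
    has exactly one per inline script."""
    return fragment.count("</script>")
```

The storage-time check is deliberately shown passing the sample value: a
scheme whitelist limits what can be saved, but the attribute encoding in
render_preview_fixed is what actually neutralises the markup. Likewise the
script-context fix produces the same safe output whether the browser
percent-encoded the parameter or sent it raw, which is the property the
bypass on older browsers exploited.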
References
----------
https://hackerone.com/reports/986365
https://www.revive-adserver.com/security/revive-sa-2020-001
https://github.com/revive-adserver/revive-adserver/commit/00fdb8d0e
https://github.com/revive-adserver/revive-adserver/commit/1dbcf7d50
https://cwe.mitre.org/data/definitions/79.html

========================================================================
Vulnerability 3 - Open Redirect
========================================================================
Vulnerability Type: URL Redirection to Untrusted Site ('Open Redirect')
                    [CWE-601]
CVE-ID: CVE-2021-22873
CVSS Base Score: 5.4
CVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS Impact Subscore: 2.5
CVSS Exploitability Subscore: 2.8
========================================================================

Description
-----------
An opportunity for open redirects has been available by design since the
early versions of Revive Adserver's predecessors in the impression and
click tracking scripts, to allow third party ad servers to track such
metrics when delivering ads. Historically the display advertising
industry has considered that to be a feature, not a real vulnerability.
Things have evolved since then and third party click tracking via
redirects is no longer a viable option, therefore all functionality using
open redirects in delivery scripts has been removed from Revive Adserver.

Details
-------
The lg.php and ck.php delivery scripts were subject to open redirect via
the dest, oadest and/or ct0 parameters. All of them are now ignored, and
redirects are only performed (when applicable) to the destination URLs
stored in the properties of the banner being displayed. A new signed click
delivery script has been introduced with an HMAC-signed destination
parameter, allowing customisable destination URLs while preventing
destinations from being tampered with by attackers.
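The Details paragraph describes three behaviours: the removed one, where a
request parameter chose the redirect target; the fixed one, where only the
banner's stored URL is used; and the new signed destination parameter. The
Python below is an added example of all three side by side. It is not
Revive Adserver's ck.php, lg.php or its signed click script: the signing
key, the banner record, the parameter names, the precedence order among
dest/oadest/ct0 and the HMAC-SHA256 construction are all assumptions.

```python
"""Click redirect handling: the open-redirect pattern the advisory removed,
the fixed resolution, and a signed destination parameter.

Added example, not Revive Adserver's ck.php/lg.php or its new signed click
script: the key, banner record, parameter names and the HMAC construction
are assumptions.
"""
import base64
import hashlib
import hmac
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed secret; a real deployment keeps this in server-side configuration.
SIGNING_KEY = b"constructed-example-key-not-a-real-secret"

# Constructed banner record standing in for the banner's stored properties.
BANNERS = {"42": {"url": "https://advertiser.example/landing"}}

Query = Dict[str, List[str]]  # the shape returned by urllib.parse.parse_qs


def resolve_click_vulnerable(banner_id: str, query: Query) -> Optional[str]:
    """Pre-5.1.0 behaviour as the advisory describes it: a dest, oadest or
    ct0 request parameter overrides the banner's own destination (the
    precedence order here is an assumption). Any caller can choose the
    target, which is the open redirect."""
    for name in ("ct0", "oadest", "dest"):
        if name in query:
            return query[name][0]
    banner = BANNERS.get(banner_id)
    return banner["url"] if banner else None


def resolve_click_fixed(banner_id: str, query: Query) -> Optional[str]:
    """Fixed behaviour: request parameters are ignored; the redirect target
    comes only from the banner's stored properties."""
    banner = BANNERS.get(banner_id)
    return banner["url"] if banner else None


def sign_destination(dest: str, key: bytes = SIGNING_KEY) -> str:
    """HMAC-SHA256 over the destination URL, base64url without padding so it
    fits in a query string unchanged."""
    mac = hmac.new(key, dest.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")


def build_signed_click_url(dest: str, key: bytes = SIGNING_KEY) -> str:
    """What the server emits when generating a tag with a custom destination
    (script name assumed)."""
    params = {"dest": dest, "sig": sign_destination(dest, key)}
    return "/signed-click.php?" + urlencode(params)


def resolve_signed_click(query: Query, key: bytes = SIGNING_KEY) -> Optional[str]:
    """Accept a custom destination only when its signature verifies.
    Returns None on any failure so the caller can refuse or fall back."""
    dest = query.get("dest", [None])[0]
    sig = query.get("sig", [None])[0]
    if dest is None or sig is None or not sig.isascii():
        return None
    parts = urlsplit(dest)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None  # even a validly signed value is limited to http(s)
    if not hmac.compare_digest(sign_destination(dest, key), sig):
        return None  # tampered destination or signature; constant-time compare
    return dest
```

The signature binds the exact destination string, so changing a single
character of dest after the URL was generated invalidates it, and an
unsigned dest parameter is simply ignored. Verification uses
hmac.compare_digest rather than == to avoid leaking the comparison position
through timing; the scheme check on top of the signature is defence in
depth, so that a key compromise could not turn the endpoint into a redirect
to arbitrary non-web schemes.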
References
----------
https://hackerone.com/reports/1081406
https://github.com/revive-adserver/revive-adserver/issues/1068
https://cwe.mitre.org/data/definitions/601.html

========================================================================
Solution
========================================================================
We strongly advise people to upgrade to the most recent 5.1.0 version of
Revive Adserver.

========================================================================
Contact Information
========================================================================
The security contact for Revive Adserver can be reached at: .
Please review https://www.revive-adserver.com/security/ before doing so.

--
Matteo Beccati
On behalf of the Revive Adserver Team
https://www.revive-adserver.com/